top of page
Writer's pictureAntriksh Sharma

Add or Remove a User or Group from all Workspaces in Power BI Service

Updated: Jun 4, 2023

Here is PowerShell script that adds a particular user or a group to all the workspaces in a tenant.


The Where-Object method filters the workspaces to be just Active ones and the ones that are not MyWorkspace of every user.


After that ForEach-Object Method iterates the result of Where-Object and adds the user by invoking Add-PowerBIWorkspaceUser method and uses the ID from the currently iterated object.


Login-PowerBIServiceAccount

$UserEmail = "abx@xyz.onmicrosoft.com"
$AccessType = "Admin"

Get-PowerBIWorkspace -Scope Organization -WarningAction Ignore |
    `Where-Object {
        $_.State -eq "Active" -and $_.Type -eq "Workspace"
    } |
    ` ForEach-Object {
        $Workspace = $_
        Add-PowerBIWorkspaceUser -Scope Organization -WarningAction Ignore `
            -Id $Workspace.Id`
            -UserPrincipalName $UserEmail `
            -AccessRight $AccessType
        Write-Host "Loaded Workspace and added user ($UserEmail) to Workspace = $($Workspace.Name), ID = $($Workspace.ID)" 
    }  

Once I had the access to all workspaces I wanted to add a Secruity group to each workspace instead of individual users.


$Body = '{
  "identifier": "29e3c3d2-b18e-46e9-92d2-dc03d2780a4e",
  "groupUserAccessRight": "Admin",
  "principalType": "Group"
}'
  
$ErrorActionPreference = "Stop"

Get-PowerBIWorkspace -Scope Organization |
    `Where-Object {
        $_.State -eq "Active" -and $_.Type -eq "Workspace"
    } |
    ` ForEach-Object {
        $Workspace = $_
        try{Invoke-PowerBIRestMethod -Method POST -Url "https://api.powerbi.com/v1.0/myorg/groups/$($Workspace.Id)/users" -Body $Body}
        catch{
            $message = $_.Exception.InnerException.Message| ConvertFrom-Json
            if($message.code -eq "AddingAlreadyExistsGroupUserNotSupportedError"){
                Write-Host -Foreground Red -Background Black "Group or User already exists"
            }
        }
     }

Once the Security group is added I can remove myself from each workspace using:


$UserEmail = "abc@.onmicrosoft.com"

Get-PowerBIWorkspace -Scope Organization |
    `Where-Object {
        $_.State -eq "Active" -and $_.Type -eq "Workspace"
    } |
    ` ForEach-Object {
        $Workspace = $_
        Remove-PowerBIWorkspaceUser -Scope Organization `
            -Id $Workspace.Id `
            -UserPrincipalName $UserEmail
        Write-Host "Removed $($UserEmail) from Workspace $($Workspace.Name)"
    }

Complete code:

Login-PowerBIServiceAccount

# ================================================
# Add a user to all workspaces:
# ================================================

$UserEmail = "abc@xyz.onmicrosoft.com"
$AccessType = "Admin"

Get-PowerBIWorkspace -Scope Organization -WarningAction Ignore |
    `Where-Object {
        $_.State -eq "Active" -and $_.Type -eq "Workspace"
    } |
    ` ForEach-Object {
        $Workspace = $_
        Add-PowerBIWorkspaceUser -Scope Organization -WarningAction Ignore `
            -Id $Workspace.Id `
            -UserPrincipalName $UserEmail `
            -AccessRight $AccessType
        Write-Host "Loaded Workspace and added user ($UserEmail) to Workspace = $($Workspace.Name), ID = $($Workspace.ID)" 
    } 
    
    
# ================================================
# Add a Security Group
# ================================================

$Body = '{
  "identifier": "29e3c3d2-b18e-46e9-92d2-dc03d2780a4e", # Group Object ID get it from Azure
  "groupUserAccessRight": "Admin",
  "principalType": "Group"
}'
  
$ErrorActionPreference = "Stop"

Get-PowerBIWorkspace -Scope Organization |
    `Where-Object {
        $_.State -eq "Active" -and $_.Type -eq "Workspace"
    } |
    ` ForEach-Object {
        $Workspace = $_
        try{
            Invoke-PowerBIRestMethod -Method POST `
                -Url "https://api.powerbi.com/v1.0/myorg/groups/$($Workspace.Id)/users"`
                -Body $Body
        }
        catch{
            $message = $_.Exception.InnerException.Message | ConvertFrom-Json
            if($message.code -eq "AddingAlreadyExistsGroupUserNotSupportedError"){
                Write-Host -Foreground Red `
                -Background Black `
                "Group or User already exists"
            }
        }
     }
     
# ================================================
# Remove a user from all workspaces
# ================================================

Get-PowerBIWorkspace -Scope Organization |
    `Where-Object {
        $_.State -eq "Active" -and $_.Type -eq "Workspace"
    } |
    ` ForEach-Object {
        $Workspace = $_
        Remove-PowerBIWorkspaceUser -Scope Organization `
            -Id $Workspace.Id `
            -UserPrincipalName $UserEmail
        Write-Host "Removed $($UserEmail) from Workspace $($Workspace.Name)"
    }
2,048 views0 comments

Comments


bottom of page